It’s critical to have recovery plans like business continuity, disaster recovery, and incident response plans. However, where many organizations fall short is in keeping these plans evergreen. An organization can be blindsided in the middle of an incident when it discovers that its response plan no longer reflects the environment it needs to protect: contact lists, system inventories, and escalation paths that were accurate when the plan was written have quietly drifted out of date.
So how can your organization keep its recovery plans accurate and up to date?
Include the Recovery Plan in Organizational Updates
A great way to keep your recovery plan up to date is to make it a step in the change management process. Identify which business projects or changes might affect your IT recovery plans, then build a step into each project to update the recovery plan accordingly. Examples of changes that might affect your recovery plans include personnel changes (especially anyone named as a contact or decision-maker in the plan), acquisitions, restructuring, and major technology upgrades or migrations. Changes in your operating environment, for example new regulatory requirements, may also demand updates. The bigger the change, the more likely it is to affect your recovery plan!
Despite best efforts, it’s easy to overlook needed changes in your recovery plan. That’s why we recommend reviewing and re-approving all IT recovery plans at least annually, and recording the review date and approver on the plan itself so that a stale plan is easy to spot. As with the initial development of IT recovery plans, it’s best to involve representatives from all of the organization’s functional areas in the review.
Test Plans With Tabletop Exercises and Drills
Even a consistent update schedule and a thorough review of a recovery plan can’t identify every problem. The best way to check whether a recovery plan is solid is to test it! Performing a tabletop exercise can expose gaps or needed improvements in the recovery plan. In a tabletop exercise, participants are presented with a simulated scenario and work through their response, using the plan as their guide and noting every point where it is unclear, out of date, or silent. We recommend basing tabletop exercises on the highest-risk attacks facing your industry: scenarios that are common, or that would have a devastating effect if they occurred.
Ideally, recovery plans should be tested on a regular basis and re-tested after any major change. Some organizations also test their personnel backup plans by excluding one member of the team from the tabletop exercise, simulating a key person being unavailable when the incident hits!
Drills and tabletop exercises come in many forms, and they have matured considerably in recent years. At its simplest, an organization may run through the scenario verbally in a conference room. Some highly mature organizations run automated resilience tests continuously; an example of this is Netflix’s “Chaos Monkey”, which randomly terminates production instances to verify that services keep running when components fail. Others have elaborate incident simulation systems.
Don’t be fazed by this. Whatever the format, if the result of your exercise and the edits that follow is a recovery plan your team trusts, you’ve been successful.
Can Sedara help you develop or test your IT recovery plans? If so, contact us!